Known Exploited Vulnerabilities CVE-2025-35939

Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.

Mappings

Capability ID: CVE-2025-35939
Capability Description: Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability

Mapping Type            ATT&CK ID   ATT&CK Name
exploitation_technique  T1190       Exploit Public-Facing Application
primary_impact          T1505.003   Web Shell
secondary_impact        T1059       Command and Scripting Interpreter

Comments (the same note applies to all three mappings)

This vulnerability allows an attacker to write arbitrary files to a known location on the target server, including potentially malicious files such as PHP scripts, by leveraging the fact that Craft CMS creates session files for unauthenticated users at the login page. However, this vulnerability does not, by itself, cause any scripts to be executed or any information to be accessed, so it can only write files and would need to be chained with another vulnerability in order to achieve code execution.

References
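Because the primitive described above is a file write into session storage rather than execution, a practical host-side check is to look for content in session files that serialized session state should never contain. The following scanner is an added example, not code from Craft CMS, CISA or the mapping project; it assumes PHP-style file-backed sessions in a directory you name (the demo builds a temporary directory with constructed sample files) and flags files that contain a PHP open tag or exceed an assumed size threshold.

```python
import re
import tempfile
from pathlib import Path

# Serialized session state is plain key|value data; a PHP open tag inside it
# is a strong signal that an attacker-controlled value was written to disk.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# Assumed threshold: session files for a login page should be small.
DEFAULT_SIZE_LIMIT = 64 * 1024


def scan_session_file(path: Path, size_limit: int = DEFAULT_SIZE_LIMIT) -> list[str]:
    """Return the reasons this session file looks tampered with (empty if clean)."""
    reasons = []
    data = path.read_bytes()
    if PHP_TAG_RE.search(data):
        reasons.append("contains PHP open tag")
    if len(data) > size_limit:
        reasons.append(f"size {len(data)} exceeds limit {size_limit}")
    return reasons


def scan_session_dir(session_dir: Path, size_limit: int = DEFAULT_SIZE_LIMIT) -> dict[str, list[str]]:
    """Scan every regular file under session_dir; map suspicious file names to reasons."""
    findings = {}
    for path in sorted(session_dir.iterdir()):
        if not path.is_file():
            continue
        reasons = scan_session_file(path, size_limit)
        if reasons:
            findings[path.name] = reasons
    return findings


def build_demo_dir() -> Path:
    """Create a temporary session directory with constructed sample files.

    The file names and contents are made up for this example; they are not
    real Craft CMS session data.
    """
    demo = Path(tempfile.mkdtemp(prefix="sess-demo-"))
    # Benign session: ordinary serialized state from an anonymous login-page visit.
    (demo / "sess_benign0001").write_bytes(b'__flash|a:0:{}loginName|s:5:"alice";')
    # Tampered session: a client-supplied value carrying PHP source was persisted.
    (demo / "sess_tampered01").write_bytes(b'loginName|s:17:"<?php echo 1; ?>";')
    # Oversized session: far larger than anonymous session state should be.
    (demo / "sess_oversize01").write_bytes(b"x|s:1:\"a\";" + b"A" * (DEFAULT_SIZE_LIMIT + 1))
    return demo


def main() -> None:
    demo = build_demo_dir()
    for name, reasons in scan_session_dir(demo).items():
        print(f"{name}: {'; '.join(reasons)}")


if __name__ == "__main__":
    main()
```

Run it against the real session directory of a server you administer by replacing the demo path; a hit is worth correlating with web access logs for the login endpoint in the same window, and the directory should be confirmed to sit outside the web root with script execution disabled so that a written file cannot be served.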